Configuring security policies - Platform - BlueCat Gateway - 23.1

Gateway Administration Guide

Locale: English
Product name: BlueCat Gateway
Version: 23.1

Specify the HTTP security response headers for BlueCat Gateway.

  • Content-Security-Policy: The HTTP response header that lets website administrators control the resources loaded for a given web page. Content Security Policy (CSP) is an added security layer that helps to detect and mitigate cross-site scripting (XSS) attacks, data injection attacks, and clickjacking.
  • Strict Transport Security: The HTTP response header that lets a web page tell browsers that it should be accessed using HTTPS instead of HTTP. As a security best practice, BlueCat recommends enabling this option.
For more information on the Content Security Policy header and how it is used with the HTTP protocol, consult the following:

Follow the steps below to specify the content-security-policy and strict-transport-security response headers for BlueCat Gateway:

  1. Log in to BlueCat Gateway.

  2. Select Configurations > General Configuration.

  3. Click Security.

  4. In the Policy field, specify a valid content-security-policy directive. By default, the policy is set to the following:
    style-src 'self' 'unsafe-inline'
  5. In the Report URI field, specify a content security policy report-uri directive. This directive tells the user agent where to report attempts that violate the Content Security Policy.

  6. To monitor a policy without enforcing it, click the Report Only checkbox. The HTTP Content-Security-Policy-Report-Only response header lets you experiment with policies by monitoring (but not enforcing) their effects. Violation reports are JSON documents sent by way of an HTTP POST request to the specified Report URI.

  7. To enforce the use of HTTPS instead of HTTP by browsers, click the Strict Transport Security checkbox. Doing so enables use of the Strict-Transport-Security response header, which tells browsers that the page should be accessed using HTTPS.

    • In the Max Age (seconds) field, set the time in seconds that the browser should remember that the site is only to be accessed using HTTPS. The default value is 31556926 seconds (or 365 days).

    • To specify that the rule applies to all of the site's subdomains, click to select the Include Subdomains checkbox.
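The following is an added example, not part of the BlueCat guide: it translates the settings on the Security page into the response headers a browser will receive, and compares them against the headers actually returned by a Gateway, so you can confirm the configuration took effect. It assumes the standard CSP and HSTS header syntax; the `fetch_headers` helper and the sample response are constructed for illustration.

```python
"""Derive the headers BlueCat Gateway should emit for a given Security page
configuration and check them against a real (or constructed) response."""
import urllib.request  # used only by fetch_headers(); the check itself runs offline

DEFAULT_POLICY = "style-src 'self' 'unsafe-inline'"   # Gateway default from the guide
DEFAULT_MAX_AGE = 31556926                            # Gateway default (365 days)


def expected_headers(policy=DEFAULT_POLICY, report_uri=None, report_only=False,
                     hsts=True, max_age=DEFAULT_MAX_AGE, include_subdomains=False):
    """Map the Security page fields to the response headers they produce.
    Report Only switches the header name; Report URI is appended as a directive."""
    directives = policy.strip().rstrip(";")
    if report_uri:
        directives += f"; report-uri {report_uri}"
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    headers = {name: directives}
    if hsts:
        value = f"max-age={max_age}"
        if include_subdomains:
            value += "; includeSubDomains"
        headers["Strict-Transport-Security"] = value
    return headers


def check_headers(actual, expected):
    """Return findings for headers that are missing or differ from the configuration."""
    lower = {k.lower(): v for k, v in actual.items()}   # header names are case-insensitive
    findings = []
    for name, want in expected.items():
        got = lower.get(name.lower())
        if got is None:
            findings.append(f"missing {name}")
        elif got.strip() != want:
            findings.append(f"{name}: expected '{want}', got '{got}'")
    return findings


def fetch_headers(url):
    """Fetch the response headers of a live Gateway (hypothetical helper, not used offline)."""
    with urllib.request.urlopen(url) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    # Constructed response standing in for a Gateway with CSP set but HSTS left unchecked.
    sample = {"Content-Type": "text/html", "Content-Security-Policy": DEFAULT_POLICY}
    for finding in check_headers(sample, expected_headers(hsts=True)):
        print(finding)   # prints: missing Strict-Transport-Security
```

Run `check_headers(fetch_headers("https://<gateway-host>/"), expected_headers(...))` with the values you entered on the Security page; an empty list means the Gateway is sending exactly the configured headers.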